few days ago I've found .cpanelinfo.php files in all acounts public_html folders on the server. These files are malicious and can be used to execute shell commands on the server or modify users files! You can check this yourself using the following command:

I advise you to remove/disable such files ASAP and reset server root password. On my server these files were uploaded via cPanel, so I have reset passwords for all cPanel accounts too.

Also I want to detect how attacker got access to 'root' account in cPanel and I have a question for cPanel staff: please check the part of logs below, did attacker use accesshash to log in WHM? Or root password was used ? Please advice.